CN1553341A - Client-based Network Address Assignment Method - Google Patents
- Publication number: CN1553341A (application number 03137316X)
- Authority: CN (China)
- Prior art keywords: user, network address, network, authentication, address
- Legal status: Granted
- Classification: Data Exchanges In Wide-Area Networks
Abstract
The invention provides a client-based network address allocation method. The user requests a network address for access to the network; the access server, according to its configuration, allocates the user an address of a first network and allocates the user's resources; the user initiates an authentication request; the access server authenticates the user and returns the authentication result; the client refreshes the user's network address according to that result; and the access server, according to the result, requests an address of a second network and allocates it to the user. By allocating one address before authentication and another after it (two-stage allocation), the invention conserves public address space and allows a policy to be selected according to the user's authentication information. The user's packets can be sent without special handling by any device, so any protocol is supported.
Description
Technical field
The invention relates to a network access method, and in particular to a method for allocating network addresses when a user accesses a network.
Background
IP addresses are among the scarcest of network resources. A computer that joins the network needs an IP address, and that address is globally unique and allocated under one global scheme, so with the rapid growth of the Internet address space has become increasingly tight. When a local area network is built, the hosts' addresses can be planned internally; these are called private IP addresses. When a wide area network is built, addresses are planned globally by the address registry; these are called public IP addresses. Because private addresses are planned internally they are relatively plentiful, whereas public addresses are used across the WAN and allocated globally, so they are in very short supply.
One current remedy for the shortage of public addresses is Network Address Translation (NAT), also called address proxying, which converts between private and public IP addresses so that many private addresses map to one public address, saving public address space.
The Internet address registry reserves three address blocks for private networks (the RFC 1918 ranges): 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 and 192.168.0.0-192.168.255.255. These blocks are never assigned on the Internet and may be used inside a LAN. Each LAN chooses a block suited to the number of hosts it contains, and different LANs may use the same internal addresses. If a LAN uses a block outside these three ranges for its internal addressing, routing tables may become confused.
When a host inside a LAN accesses the Internet or communicates with a host on an external network, its traffic must pass through network address translation.
Figure 1 shows a host in a LAN accessing a host on an external network. The internal network uses the 10.0.0.0 block: host 1 is 10.1.1.10 and host 2 is 10.1.1.48. The hosts reach the external network through the proxy server 203.196.3.23, which is therefore the LAN's official external address. When host 2 accesses the WWW server 202.18.245.251 outside the LAN, it first sends a packet with source port 6084 and destination port 80. Passing through the proxy, the packet's source address and port are rewritten to 203.196.3.23:32814 while the destination address and port are left unchanged. When the external WWW server replies, the proxy uses its internal address-and-port mapping table to rewrite the destination of the reply to 10.1.1.48:6084, so that internal host 2 can reach the external server.
NAT brings the following problems. First, because NAT must rewrite the IP addresses carried in packets, headers and payloads that contain addresses cannot be encrypted; FTP over an encrypted connection, for example, cannot be carried, because the PORT command inside the FTP protocol can no longer be translated. Second, when an internal host attacks another network it is hard to determine which host sent the traffic, because the host's address is masked; this hampers security monitoring (attribution then depends on the translation device keeping logs of its mappings). Third, every packet from an internal host must be processed by NAT, which significantly reduces forwarding efficiency. Fourth, when the DNS server is outside the LAN, internal users cannot reach other internal hosts by domain name. As shown in Figure 2, when an internal host accesses an FTP server that is also on the internal network by name, it first asks the external DNS for the address; since the DNS is on the public network it returns either a public address or no address, so the internal host obtains the server's public address or none at all and cannot reach the internal server normally.
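The Figure 1 exchange, and the first of the NAT problems just listed (an FTP PORT command that the translator can no longer rewrite once the control channel is encrypted), can be reproduced with a small port-translating NAT table. This is an added example, not code from the patent: it uses the addresses and ports quoted in the Figure 1 walk-through, starts the public port counter at 32814 to match the text, and the `rewrite_ftp_port` helper is a minimal application-layer gateway written for this illustration.

```python
"""Stateful port-translating NAT (NAPT) table, following the Figure 1 walk-through.

Added illustration, not code from the patent. The addresses and ports are the
ones quoted in the text; the first public port 32814 is chosen to match it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import itertools

# The three private blocks listed in the background section (RFC 1918)
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def is_private(addr):
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip, first_port=32814):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free public port
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, pkt):
        """Rewrite the source of an internal->external packet, creating the
        mapping on first use; the destination is left untouched."""
        if not is_private(pkt.src_ip):
            raise ValueError("refusing to translate non-private source " + pkt.src_ip)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Rewrite the destination of an external->internal packet.

        Returns None (drop) when no mapping exists: the lookup that lets replies
        through is also what makes internal hosts unreachable unsolicited."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def rewrite_ftp_port(payload, nat):
    """Application-layer gateway for the FTP PORT command (the first NAT problem
    in the text). It only works while the control channel is readable: an
    encrypted payload is returned untouched, no mapping is created, and the
    server's inbound data connection is later dropped by translate_in()."""
    text = payload.decode("ascii", errors="replace").strip()
    if not text.upper().startswith("PORT "):
        return payload
    h1, h2, h3, h4, p1, p2 = (int(x) for x in text[5:].split(","))
    private_ip, private_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    # Pre-create the mapping so the server's data connection finds its way in
    mapped = nat.translate_out(Packet(private_ip, private_port, "0.0.0.0", 0))
    pub = nat.public_ip.replace(".", ",")
    return f"PORT {pub},{mapped.src_port // 256},{mapped.src_port % 256}\r\n".encode()
```

Calling `translate_out` on host 2's first packet yields the 203.196.3.23:32814 rewrite from the text and `translate_in` on the reply restores 10.1.1.48:6084; a reply to a port with no mapping is dropped, and a PORT command that is not readable leaves no mapping behind, which is exactly the encrypted-FTP failure the paragraph describes.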
Users can also reach external networks after authentication; a commonly used method today is web authentication, which needs no client software and works directly from a browser. Figure 3 shows a network using web authentication. The user connects through a layer-2 device (L2, such as a hub or LAN switch) to a broadband access server (BAS), which connects to the core network; the AAA server and the web server are also attached to the core network. Web authentication proceeds as follows: the user obtains an IP address through the Dynamic Host Configuration Protocol (DHCP) or by static configuration, then accesses the web server to obtain the login page; the user enters a username and password and submits the authentication request; the web server and the BAS exchange authentication messages; the BAS obtains the username and password from the web server and performs authentication and accounting; the web server tells the user whether login succeeded or failed. Because the user must obtain an IP address before web authentication, and that address is not replaced after authentication succeeds, a public IP address is allocated before authentication and address resources are wasted.
Other authentication methods, such as 802.1X-compliant dial-up authentication, likewise obtain an IP address through DHCP first and authenticate afterwards, so they waste public IP addresses in the same way.
Summary of the invention
The technical problem addressed by the invention is to provide a client-based network address allocation method that relieves the shortage of public IP addresses and lets users switch between networks, so that a user can send and receive packets directly once an address has been obtained.
In the client-based network address allocation method of the invention, one network address is allocated to the user before authentication and another after authentication, so that network resources are used sensibly. The method comprises the following steps:
Step 1: the user requests a network address for access to the network;
Step 2: the access server allocates the user an address of a first network and allocates the user's resources;
Step 3: the user initiates an authentication request;
Step 4: the access server authenticates the user and returns the authentication result;
Step 5: the client refreshes the user's network address according to the authentication result;
Step 6: the access server requests an address of a second network and allocates it to the user.
The address of the first network may be a private or a public network address; the address of the second network is a public network address.
The access server is preferably a broadband access server.
By allocating an address before authentication, then refreshing it and allocating another after authentication (two-stage allocation), the invention effectively conserves public IP addresses and allows a policy to be chosen from the user's authentication information. For example, users user1 and user2 are both given addresses by a private DHCP server before authentication; after authentication, user1 can be given an address from DHCP server 1 of operator ISP1 and user2 from DHCP server 2 of operator ISP2, so that address resources are allocated by policy according to the authentication result. Second, after authentication by this method the user's packets are sent without special processing by any device, which is more efficient than NAT, and no address information inside the packets needs special handling, so any protocol is supported. The invention also extends the management functions of the access server, making networking more flexible.
Brief description of the drawings
Figure 1 is a schematic of a host in a LAN accessing an external network through NAT;
Figure 2 is a schematic of a host on an internal network accessing an FTP server by domain name;
Figure 3 is a schematic of a network using web authentication;
Figure 4 is a flowchart of the network address allocation method of the invention;
Figure 5 is a schematic of the network topology of embodiment 1;
Figure 6 is a schematic of the service flow of embodiment 1;
Figure 7 is a schematic of the service flow of embodiment 2.
Detailed description
The invention is described in further detail below with reference to the drawings and embodiments.
Figures 1 to 3 show prior-art networks; they were described in detail in the background section and are not repeated here.
To solve the problems of the prior art, the basic idea of the client-based method is to allocate one network address to the user before authentication and another after it, so that network resources are used sensibly. To conserve public IP addresses, a private IP address is normally allocated before authentication and a public one after it; alternatively both may be public addresses, with different user policies before and after authentication, so that a user can switch between Internet service providers (ISPs).
The method can be combined with various authentication schemes, for example web authentication or a form of dial-up authentication. Address allocation combined with each of these two schemes is described in detail below.
Embodiment 1:
A typical network for client-based web authentication with address allocation is shown in Figure 5. Web users reach the broadband access server (BAS) through a layer-2 device (L2). The BAS, a portal server (which serves the web login page), a remote authentication server (RADIUS server), DHCP server 1 and DHCP server 2 are all attached to the network; DHCP server 1 serves a private network and DHCP server 2 serves the public network. The BAS may also contain a built-in address pool. The BAS speaks DHCP to the DHCP servers, RADIUS to the RADIUS server and the portal protocol to the portal server.
Figure 6 shows the service flow. The user requests an IP address via DHCP and the BAS intercepts the DHCP message. The BAS configuration specifies how a given user's address request is handled and which DHCP server is asked; for example, users arriving on port 1 of the BAS with a VLAN ID tag are sent to DHCP server 10.0.0.2, and users on port 2 without a VLAN tag to DHCP server 11.0.0.2. On receiving the DHCP message, the BAS selects the designated private DHCP server 1 according to its configuration and, acting as a DHCP relay, obtains a private IP address from it; alternatively the BAS can choose an address for the user from its internal pool.
While allocating the address, the BAS also allocates resources for the user (a user entry, an ARP entry, a user log, a flow-matching table and so on) and installs a user policy. The policy holds the permissions granted to the user: which sites may and may not be accessed, the user's traffic limit, the services the user may use, access control lists (ACL), committed access rate (CAR), user priority, quality of service (QoS) and so on. An example policy is "allow access to the portal server and web site 1, deny web site 2; when the user accesses a site that is not allowed, force the access to the portal server", so that before authentication the user can reach only designated addresses such as the portal server or the DNS server. Under this policy, a user who opens web site 2 before authenticating is redirected to the portal server, while access to web site 1 is allowed.
The user starts a browser and accesses the portal server to obtain the login page; if the user tries any other address that is not permitted, the BAS forces the access to the portal server, which returns the login page. The user enters a username and password and submits the authentication request, which is sent over HTTP to the portal server for parsing. The portal server exchanges messages with the BAS over the portal protocol so that the BAS obtains the username and password.
The BAS decides from the suffix of the username whether to authenticate locally or via RADIUS. For RADIUS authentication it sends the username and password to the RADIUS server over the RADIUS protocol; the RADIUS server extracts them and matches them against its locally configured credentials; if they match, authentication succeeds, otherwise it fails. For local authentication the BAS matches the username and password against its own configuration in the same way. When authentication finishes, an authentication result is produced. The result must contain an attribute stating whether the address is to be allocated again, and it also carries the user's authorisation information: committed access rate (CAR), remaining online time, user priority and so on. The BAS passes the result to the portal server over the portal protocol.
If authentication succeeded and a second allocation is required, the portal server sends the result page together with a small client program (a Java applet, ActiveX control or similar). The client program refreshes the user's IP address: it first releases the original private address and then requests a new one. When the BAS receives the user's request for a new address, it requests a public address from the designated public DHCP server 2 according to the authorisation in the authentication result and returns that address to the user. Once the user has the public address, the BAS tells the portal server over the portal protocol that the user's IP address has changed and, after receiving the acknowledgement, releases the user's private address. The BAS then refreshes the user policy, for example to "allow any address, but force the first web access to the portal server", so that the user can reach the designated public addresses. The client-based address allocation login procedure is now complete. Under the new policy, the user's first access to web site 2 after authentication is redirected to the portal server and the second access is allowed. When the user logs off, the public IP address is released.
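The six summary steps and the embodiment 1 flow above, as an added example that is not code from the patent or from any vendor: a toy BAS that intercepts the DHCP request, relays it according to the port/VLAN rule quoted in the text, enforces the pre-authentication ACL with redirection to the portal, authenticates locally or against a stub RADIUS database chosen by username suffix, and on success lets the client release the private address and lease a public one from the ISP pool named in the authentication result before switching to the post-authentication policy. DHCP, portal and RADIUS exchanges are replaced by in-memory stubs; the pool ranges, the site names, the credentials and the `@local`/`@isp2` suffixes are assumptions made for this illustration. Embodiment 2 below follows the same sequence of calls with the dialler in place of the applet.

```python
"""Two-phase (pre-/post-authentication) address allocation on a broadband
access server (BAS), following the six summary steps and embodiment 1.
Added example, not code from the patent or any vendor. DHCP, portal and
RADIUS are in-memory stubs; pool ranges, site names, credentials and the
"@local"/"@isp2" username suffixes are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network
import hmac


class Pool:
    """Stub for a DHCP server or for the BAS built-in address pool."""
    def __init__(self, cidr):
        self.free = [str(h) for h in ip_network(cidr).hosts()]
        self.leased = {}                      # user -> address

    def lease(self, user):
        self.leased[user] = self.free.pop(0)
        return self.leased[user]

    def release(self, user):
        addr = self.leased.pop(user, None)
        if addr is not None:
            self.free.append(addr)


@dataclass(frozen=True)
class Policy:
    allowed: frozenset                # destinations reachable as-is
    redirect_to: str                  # where denied traffic (or the first web hit) goes
    open: bool = False                # post-auth: everything allowed ...
    portal_first_web: bool = False    # ... except the very first web access


PRE_AUTH = Policy(frozenset({"portal", "dns", "site1"}), "portal")
POST_AUTH = Policy(frozenset(), "portal", open=True, portal_first_web=True)


@dataclass
class Session:
    user: str
    port: int                         # BAS ingress port
    vlan_tagged: bool
    address: str = None
    pool: Pool = None
    policy: Policy = PRE_AUTH
    first_web_done: bool = False


class Bas:
    # Relay rule quoted in the text: (ingress port, VLAN-tagged?) -> DHCP server
    RELAY_RULES = {(1, True): "10.0.0.2", (2, False): "11.0.0.2"}

    def __init__(self):
        self.private = {"10.0.0.2": Pool("10.1.1.0/24"), "11.0.0.2": Pool("11.1.1.0/24")}
        self.public = {"isp1": Pool("203.0.113.0/29"), "isp2": Pool("198.51.100.0/29")}
        self.local_users = {"alice@local": "s3cret"}       # assumed local accounts
        self.radius_users = {"bob@isp2": "hunter2"}        # stub RADIUS database

    def dhcp_request(self, s):
        """Steps 1-2: intercept the DHCP request, pick the server by port/VLAN, lease."""
        s.pool = self.private[self.RELAY_RULES[(s.port, s.vlan_tagged)]]
        s.address = s.pool.lease(s.user)
        return s.address

    def forward(self, s, dest):
        """ACL enforcement: return the destination the user actually reaches."""
        p = s.policy
        if p.open:
            if p.portal_first_web and not s.first_web_done:
                s.first_web_done = True
                return p.redirect_to
            return dest
        return dest if dest in p.allowed else p.redirect_to

    def authenticate(self, s, username, password):
        """Steps 3-4: local or RADIUS by username suffix; the result carries the
        'allocate again' attribute and the authorisation (which ISP pool)."""
        db = self.local_users if username.endswith("@local") else self.radius_users
        expected = db.get(username, "")
        if username not in db or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"ok": False}
        isp = "isp1" if username.endswith("@local") else username.rsplit("@", 1)[1]
        return {"ok": True, "reallocate": True, "isp": isp}

    def refresh_address(self, s, result):
        """Steps 5-6: on success the client releases and re-requests; the BAS leases
        from the ISP pool named in the result, then frees the private address."""
        if not result["ok"]:
            return s.address
        if result.get("reallocate"):
            old_pool = s.pool
            s.pool = self.public[result["isp"]]
            s.address = s.pool.lease(s.user)
            old_pool.release(s.user)          # private address handed back
        s.policy = POST_AUTH
        return s.address

    def logoff(self, s):
        s.pool.release(s.user)
        s.address, s.policy = None, PRE_AUTH
```

The calls are made in the order of the steps: `dhcp_request`, `forward` for any pre-authentication traffic, `authenticate`, `refresh_address` with the returned result, and `logoff` at the end. A failed authentication leaves the private address and the pre-authentication policy in place; local users are mapped to the isp1 pool by assumption, and a RADIUS user's pool is taken from the username suffix, which stands in for the authorisation attributes the text says the result must carry.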
Embodiment 2:
The network for client-based dial-up authentication with address allocation may also use the structure of Figure 5; because authentication is by dial-up, the portal server is not needed. The service flow is shown in Figure 7. The user requests an IP address via DHCP and the BAS intercepts the message; according to its configuration the BAS selects the designated private DHCP server 1 and, acting as a DHCP relay, obtains an address from it, or chooses an address for the user from its configured internal pool.
While allocating the private address, the BAS internally allocates resources for the user and installs a user policy such as "may access web site 1, may not access web site 2; accesses to addresses that are not allowed are forced to web site 1", modifying the access control list (ACL) so that the user can reach only designated addresses before authentication. Under this policy, before authentication a user who opens web site 2 is redirected to web site 1, and access to web site 1 is allowed.
The user enters a username and password and dials. The BAS decides from the username suffix whether to authenticate locally or via RADIUS: for RADIUS authentication it sends the username and password to the RADIUS server over the RADIUS protocol; for local authentication it checks the username and password itself. When authentication finishes, an authentication result is produced that contains the attribute stating whether the address is to be allocated again, together with the user's authorisation information (committed access rate (CAR), remaining online time, user priority and so on). The BAS notifies the client of the result, and the dialler refreshes the user's IP address accordingly, first releasing the original address and then requesting a new one. Using the authorisation in the result, the BAS requests a public address from the designated public DHCP server 2, returns the new public address to the user and releases the user's private address. The BAS then refreshes the user policy, for example to "allow any address, but force the first web access to web site 1", modifying user attributes such as the ACL so that the user can reach the designated public addresses. The client-based address allocation login procedure is now complete. The user's first web access is forced to web site 1; a second access to web site 2 is allowed. The public IP address is released when the user logs off.
In both embodiments the address allocated before authentication is a private IP address and the address allocated afterwards is a public one. In practice both may be public IP addresses, so that a user can switch between ISPs. For example, before authentication a user belongs by default to operator 1: the user's address is allocated by operator 1 and the sites that may be visited are set by operator 1. To switch operator, the user must authenticate with operator 2 and obtain the rights that operator 2 grants; once authentication passes, the address allocated by operator 1 is released and an address from operator 2 is requested.
Finally, the above embodiments merely illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that the technical solution may be modified or equivalently replaced without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the invention.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB03137316XA CN100365591C (en) | 2003-06-08 | 2003-06-08 | Client-based Network Address Assignment Method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1553341A | 2004-12-08 |
| CN100365591C | 2008-01-30 |
Family
ID=34323562
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB03137316XA Expired - Lifetime CN100365591C (en) | 2003-06-08 | 2003-06-08 | Client-based Network Address Assignment Method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100365591C (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101056178B (en) * | 2007-05-28 | 2010-07-07 | 中兴通讯股份有限公司 | A method and system for controlling user network access authority |
| CN102075567A (en) * | 2010-12-24 | 2011-05-25 | 北京星网锐捷网络技术有限公司 | Authentication method, client, server, feedthrough server and authentication system |
| CN102413199A (en) * | 2011-10-20 | 2012-04-11 | 江苏省邮电规划设计院有限责任公司 | System and method for creating and reporting address mapping relations by broadband remote access server |
| CN102594939A (en) * | 2012-02-16 | 2012-07-18 | 杭州华三通信技术有限公司 | Secondary address allocation method and device |
| CN103068052A (en) * | 2013-01-17 | 2013-04-24 | 中国联合网络通信集团有限公司 | Dynamic configuration method and system of resources and portal server |
| CN103117947A (en) * | 2013-01-28 | 2013-05-22 | 中兴通讯股份有限公司 | Load sharing method and device |
| CN103581354A (en) * | 2012-08-03 | 2014-02-12 | 中国电信股份有限公司 | Network address allocation method and system |
| CN104038352A (en) * | 2004-12-16 | 2014-09-10 | 艾利森电话股份有限公司 | Method and system for transmitting liability data in telecommunication network |
| CN104519138A (en) * | 2014-12-31 | 2015-04-15 | 北京东土科技股份有限公司 | Data transmission method and data transmission system based on distributed FTP |
| CN108076164A (en) * | 2016-11-16 | 2018-05-25 | 新华三技术有限公司 | Access control method and device |
| CN108206772A (en) * | 2016-12-20 | 2018-06-26 | 中兴通讯股份有限公司 | A kind of dispatching method, system and controller |
| CN109462568A (en) * | 2017-09-06 | 2019-03-12 | 中国电信股份有限公司 | Portal authentication method, system and Portal proxy server |
| CN112788028A (en) * | 2021-01-10 | 2021-05-11 | 何顺民 | Method and system for acquiring network parameters |
| CN114422473A (en) * | 2017-04-19 | 2022-04-29 | 中兴通讯股份有限公司 | IP address allocation method and device |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| ATE407503T1 (en) * | 1999-07-02 | 2008-09-15 | Nokia Corp | AUTHENTICATION METHOD AND SYSTEM |
| JP3447687B2 (en) * | 2000-10-13 | 2003-09-16 | 日本電気株式会社 | Wireless network system and network address assignment method |
| CN1177445C (en) * | 2001-09-29 | 2004-11-24 | 华为技术有限公司 | A Security Authentication Method for PC Client |
- 2003
  - 2003-06-08 CN CNB03137316XA patent/CN100365591C/en not_active Expired - Lifetime
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104038352A (en) * | 2004-12-16 | 2014-09-10 | 艾利森电话股份有限公司 | Method and system for transmitting liability data in telecommunication network |
| CN101056178B (en) * | 2007-05-28 | 2010-07-07 | 中兴通讯股份有限公司 | A method and system for controlling user network access authority |
| CN102075567A (en) * | 2010-12-24 | 2011-05-25 | 北京星网锐捷网络技术有限公司 | Authentication method, client, server, feedthrough server and authentication system |
| CN102075567B (en) * | 2010-12-24 | 2013-09-18 | 北京星网锐捷网络技术有限公司 | Authentication method, client, server, feedthrough server and authentication system |
| CN102413199A (en) * | 2011-10-20 | 2012-04-11 | 江苏省邮电规划设计院有限责任公司 | System and method for creating and reporting address mapping relations by broadband remote access server |
| CN102413199B (en) * | 2011-10-20 | 2013-12-04 | 江苏省邮电规划设计院有限责任公司 | System and method for creating and reporting address mapping relations by broadband remote access server |
| CN102594939A (en) * | 2012-02-16 | 2012-07-18 | 杭州华三通信技术有限公司 | Secondary address allocation method and device |
| CN102594939B (en) * | 2012-02-16 | 2014-11-12 | 杭州华三通信技术有限公司 | Secondary address allocation method and device |
| CN103581354A (en) * | 2012-08-03 | 2014-02-12 | 中国电信股份有限公司 | Network address allocation method and system |
| CN103068052B (en) * | 2013-01-17 | 2016-03-02 | 中国联合网络通信集团有限公司 | Dynamic resource allocation method, system and Portal server |
| CN103068052A (en) * | 2013-01-17 | 2013-04-24 | 中国联合网络通信集团有限公司 | Dynamic configuration method and system of resources and portal server |
| CN103117947B (en) * | 2013-01-28 | 2016-06-29 | 中兴通讯股份有限公司 | A kind of load sharing method and device |
| CN103117947A (en) * | 2013-01-28 | 2013-05-22 | 中兴通讯股份有限公司 | Load sharing method and device |
| US9332067B2 (en) | 2013-01-28 | 2016-05-03 | Zte Corporation | Load sharing method and apparatus |
| CN104519138B (en) * | 2014-12-31 | 2017-12-26 | 北京东土科技股份有限公司 | A kind of data transmission method and system based on distributed FTP |
| WO2016106907A1 (en) * | 2014-12-31 | 2016-07-07 | 北京东土科技股份有限公司 | Method and system for transmitting data based on distributed ftp |
| CN104519138A (en) * | 2014-12-31 | 2015-04-15 | 北京东土科技股份有限公司 | Data transmission method and data transmission system based on distributed FTP |
| CN108076164A (en) * | 2016-11-16 | 2018-05-25 | 新华三技术有限公司 | Access control method and device |
| CN108076164B (en) * | 2016-11-16 | 2021-03-23 | 新华三技术有限公司 | Access control method and device |
| CN108206772A (en) * | 2016-12-20 | 2018-06-26 | 中兴通讯股份有限公司 | A kind of dispatching method, system and controller |
| CN114422473A (en) * | 2017-04-19 | 2022-04-29 | 中兴通讯股份有限公司 | IP address allocation method and device |
| CN114422473B (en) * | 2017-04-19 | 2023-10-17 | 中兴通讯股份有限公司 | IP address allocation method and device |
| CN109462568A (en) * | 2017-09-06 | 2019-03-12 | 中国电信股份有限公司 | Portal authentication method, system and Portal proxy server |
| CN109462568B (en) * | 2017-09-06 | 2022-07-05 | 中国电信股份有限公司 | Portal authentication method, system and Portal proxy server |
| CN112788028A (en) * | 2021-01-10 | 2021-05-11 | 何顺民 | Method and system for acquiring network parameters |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100365591C (en) | 2008-01-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7760729B2 (en) | | Policy based network address translation |
| US10135827B2 (en) | | Secure access to remote resources over a network |
| US9237147B2 (en) | | Remote access manager for virtual computing services |
| US6801528B2 (en) | | System and method for dynamic simultaneous connection to multiple service providers |
| JP6479814B2 (en) | | Identity and access management based access control in virtual networks |
| CN100417127C (en) | | A User Management Method Based on Dynamic Host Configuration Protocol |
| CN100365591C (en) | | Client-based Network Address Assignment Method |
| WO2003055176A1 (en) | | Access control management |
| WO2008119214A1 (en) | | A method for accessing the internal network web service of the internet |
| CN113014680B (en) | | Broadband access method, device, equipment and storage medium |
| US12341754B2 (en) | | Private network access |
| CN101084657A (en) | | Gateway, network configuration, and method for controlling access to web server |
| JP3858884B2 (en) | | Network access gateway, network access gateway control method and program |
| KR20120055694A (en) | | User access method, system and access server, access device |
| CN1571383A (en) | | A method for implementing campus network |
| US20080069102A1 (en) | | Method and system for policy-based address allocation for secure unique local networks |
| CN1571349A (en) | | Network access control method based on MAC address |
| CN1798158A (en) | | Method for distributing second level address |
| WO2013150543A2 (en) | | Precomputed high-performance rule engine for very fast processing from complex access rules |
| WO2012034428A1 (en) | | Method and service node for ip address reassignment |
| CN1921496B (en) | | A method for DHCP client to identify DHCP server |
| CN1505331A (en) | | Compatible method for port-based authentication and transport layer-based authentication |
| Odagiri et al. | | Consideration of the User Authentication Processes for the Cloud Type of Virtual Policy Based Network Management Scheme to manage the Specific Domain |
| CN1571420A (en) | | Method for implementing dedicated network access by using PPPOE protocol |
| De Launois et al. | | Connection of extruded subnets: a solution based on RSIP |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CX01 | Expiry of patent term | |
| | CX01 | Expiry of patent term | Granted publication date: 20080130 |